Get the 411 on Spyware
NMoreira Ransomware Removal Guide
NMoreira Ransomware will not allow you to access most of your files because this malicious infection encrypts them. It belongs to an ever-growing group of encrypting ransomware applications. In contrast with most of the malicious infections that try to hide their presence, this one is very explicit. The reason is that the criminals behind it need you to pay the ransom fee as soon as possible. However, you should not succumb to their threats. You need to protect your system and your wallet from malicious exploitation by removing NMoreira Ransomware today. If you scroll down to the bottom of this article, you will find out how to terminate the infection manually.
Albeit the exact distribution method is not clear, it is very likely that this program spreads in spam email attachments. Spam is the most common distribution method employed by such infections. Users are also often tricked into opening such attachments because they look like legitimate documents from online stores or financial institutions. Of course, users understand that they have been scammed once the ransom notification appears on their screens, but that is already where there the prevention methods no longer work, and where you have to go into an all-out battle mode.
During our research, we have found that NMoreira Ransomware is created by XRatTeam, and this program mostly targets users who speak Portuguese. Of course, that is obvious since the ransom note is displayed entirely in the language. Once the program enters a target computer, it is bound to run a system scan, searching for the files it can encrypt. The number of files a ransomware program can encrypt differs from a program to a program. As far as this application is concerned, we know that it encrypts files from %USERPROFILE% and %ALLUSERPROFILE% directories. So all the files, folders, and subfolders in these directories are subjected to file encryption.
As the infection progresses, this program does not create a Point of Execution, but it does leave two registry keys that are used to initiate a padlock icon and the execution command. The padlock icon is used for all the encrypted files, just like the .maktub extension. This extension looks like it is associated with the Maktub Ransomware, but the developers of both infections are not the same people. So it is rather peculiar as to why NMoreira Ransomware makes use of this name.
To announce its presence, the ransomware creates a ransom note on your desktop. The file name is "Recupere seus arquivos. Leia-me!.txt". The criminals behind this infection claim that you must contact them via the given email address with the Public key that is listed in the note. Supposedly, once the connection is established, the criminals will let you know how much you need to pay to restore your files.
Once the encryption is complete, the malware file tends to delete itself, so it might seem that there is nothing to remove. However, you still need to terminate the registry entries left by NMoreira Ransomware, and you also have to do something with your files.
The easiest way to get your files back is to delete the infected files, remove NMoreira Ransomware, and then transfer healthy copies of your files from a backup to your computer. Also, you should make it a routine to scan your computer with a security application.
How to Delete NMoreira Ransomware
- Go to the Downloads folder.
- Locate the most recently launched file (if it is present).
- Press Win+R and the Run prompt will open.
- Type regedit into the Open box. Click OK.
- Open HKEY_CLASSES_ROOT and delete the .maktub key.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes.
- Right-click and delete the .maktub key under Classes.
